Analysis

max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-04-2024 14:28

Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: e2be33cb799cd823a2d88899971255d2_JaffaCakes118.dll
Resource: win7-20240221-en (windows7-x64)
Signatures: 4
Run time: 150 seconds
General

Target: e2be33cb799cd823a2d88899971255d2_JaffaCakes118.dll
Size: 188KB
MD5: e2be33cb799cd823a2d88899971255d2
SHA1: f471630d1fea193e46192f024148f1ece1e19118
SHA256: de649fc31edc3e66987cd104284039da1537919f9e009b882b96a875a31a7662
SHA512: a7abfc80ac157001227f789d4e87aee316d9ad135c38fd8040436958373f52a7685d9da294923ec590cfa250d45cd1c76cf76e17229cdc1f23f71f6f394b5af1
SSDEEP: 3072:MA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAomo:MzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

yara_rule match
  resource: behavioral2/memory/1196-1-0x0000000075420000-0x0000000075450000-memory.dmp
  rule: dridex_ldr

Program crash (1 IoCs)
  process       pid   target process   target pid
  WerFault.exe  748   rundll32.exe     1196

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   process       target pid   target process
  PID 4624 wrote to memory of 1196  4624  rundll32.exe  1196         rundll32.exe
  PID 4624 wrote to memory of 1196  4624  rundll32.exe  1196         rundll32.exe
  PID 4624 wrote to memory of 1196  4624  rundll32.exe  1196         rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2be33cb799cd823a2d88899971255d2_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2be33cb799cd823a2d88899971255d2_JaffaCakes118.dll,#1
    child: C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 688
      signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1196 -ip 1196